WO2010079694A1 - Security monitoring method, security monitoring system, and security monitoring program - Google Patents
- Publication number: WO2010079694A1 (PCT application PCT/JP2009/071426)
- Authority: WO (WIPO, PCT)
- Prior art keywords: information, transmission, observation, policy, knowledge
Classifications
- H04L63/1416—Event detection, e.g. attack signature detection (under H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION; H04L63/00—Network architectures or network communication protocols for network security; H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic; H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic)
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general (under H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION; H04L63/00—Network architectures or network communication protocols for network security)
Definitions
- The present invention relates to a security monitoring method, a security monitoring system, and a security monitoring program that acquire a plurality of observation information items representing the security state of devices and perform a policy-based security determination on that observation information.
- An example of a conventional security state monitoring system is described in Patent Document 1.
- In that system, a state verifier that checks whether a computer is secure is placed in the computer, a state certificate proving that the computer is secure is created on the computer being checked, and that state certificate is transmitted.
- With this configuration, whether each device is secure can be monitored with a smaller communication volume than transmitting the state of each device.
- An example of agent technology for reducing the amount of communication is described in Patent Document 2.
- In Patent Document 2, when synchronizing data between agents or obtaining information held by other agents, each agent learns which agent should be queried to obtain correct information, which reduces the amount of communication needed to search for agents.
- The first problem is that transmitting the detailed information of each device that security monitoring requires involves a large transmission volume.
- The second problem is that, in the conventional methods that reduce the transmission volume, a single policy cannot be created by combining the states of a plurality of devices.
- An object of the present invention is to provide a security monitoring method, a security monitoring system, and a security monitoring program capable of monitoring the security of a plurality of devices with a small amount of communication.
- The security monitoring method of the present invention holds transmission information, defined as representative information that collects related observation information; determines whether the policy-based security determination can be made from the transmission information alone instead of the observation information; and, if it can, transmits the transmission information instead of all or part of the observation information.
- The security monitoring system of the present invention has: policy storage means for storing a policy that is the criterion for determining whether the monitored system is secure; observation knowledge storage means for storing observation knowledge, which describes the observation information (information on each device) used to determine whether the monitored system is secure and the method for determining it; system analysis means for analyzing the state of the monitored system based on the observation knowledge stored in the observation knowledge storage means; transmission knowledge storage means for storing transmission knowledge, that is, combinations of transmission information and the observation information it stands for, so that not all of the observation information analyzed by the system analysis means has to be transmitted; transmission knowledge determination means that receives the observation information analyzed by the system analysis means and the policy from the policy storage means and determines, based on the information stored in the transmission knowledge storage means, whether sending transmission information instead of the individual observation information would affect the policy determination; and information transmission means for transmitting the observation information together with the transmission information that the transmission knowledge determination means has determined not to affect the policy determination.
- When the transmission knowledge determination unit determines that transmission information should be transmitted in place of the plurality of observation information observed by each device, the system operates so that the transmission information is transmitted instead of that plurality of observation information.
- The present invention has the following effect.
- The amount of information to be transmitted can be reduced.
- The reason is that, instead of all the observed information being sent, observation information that can be judged to have no influence on the policy determination is sent together as transmission information.
- FIG. 1 is a block diagram of a security monitoring system according to the first embodiment of this invention.
- FIG. 2 is a flowchart showing the operation of the security monitoring system according to the first embodiment.
- FIG. 3 is a block diagram of a security monitoring system according to the second embodiment of this invention.
- FIG. 4 is a flowchart showing the operation of the security monitoring system according to the second embodiment.
- FIG. 5 is a block diagram of a security monitoring system according to the third embodiment of this invention.
- FIG. 6 is a flowchart showing the operation of the security monitoring system of the third exemplary embodiment.
- FIG. 7 is a block diagram of an application example of the security monitoring system of the third embodiment.
- FIG. 8 is a table showing specific examples of observation knowledge.
- FIG. 9 is a table showing specific examples of observation information.
- FIG. 10 is a table showing a specific example of transmission knowledge.
- The security monitoring system includes a policy input unit 11, a policy storage unit 12, an observation knowledge storage unit 13, a system analysis unit 14, a transmission knowledge storage unit 15, a transmission knowledge determination unit 16, and an information transmission unit 17.
- The policy input unit 11 is the means by which the security monitor inputs a policy that defines a secure state by combining the observation information of each device.
- The policy storage unit 12 stores the policy input from the policy input unit 11; the policy is defined using observation information and is the criterion for determining whether the monitored system is secure.
- b1, b2, and b3 are values of observation information.
- P B1
- P may be composed of a plurality of rules and may have a priority.
- When judging the policy, any of p1, ..., pn may hold; with a priority, the rules are evaluated in order from p1, and as soon as one of them evaluates to true, the policy is determined to be true without evaluating the subsequent rules.
- The observation knowledge storage unit 13 stores observation knowledge, which describes the system information needed to determine the risk of the monitored system, that is, the observation information (information on each device used to determine whether it is secure) and the analysis method for that observation information.
- The system analysis unit 14 receives from the observation knowledge storage unit 13 the observation information to be analyzed (system information) and its analysis method, analyzes the system configuration and state, and extracts the value of each observation information item from the monitored system.
- The value of each observation information item is extracted either by embedding a program in each device or by using means prepared in advance for management, such as a CIM (Computer Integrated Manufacturing) database or SMTP (Simple Mail Transfer Protocol).
- The transmission knowledge storage unit 15 stores transmission knowledge, that is, combinations of transmission information and the observation information it represents, so that not all of the observation information analyzed by the system analysis unit 14 has to be transmitted.
- The transmission knowledge storage unit 15 groups related observation information: observation information of the same device, of the same application, or of the same service, and observation information whose values change together, i.e., observation states that are considered to change at the same time when equipment or services are set up.
- It stores the transmission information, defined as a state in which the grouped observation states are collected together, and the transmission knowledge, which is the correspondence between each transmission information item and the observation states collected in it. A specific example of transmission knowledge is shown in FIG.
- The transmission knowledge determination unit 16 receives the observation information analyzed by the system analysis unit 14 and the policy from the policy storage unit 12, and determines whether transmitting transmission information instead of the individual observation information would leave the policy determination unaffected.
- Combinations of observation information that do not affect the policy determination are stored as transmission information; when the combinations stored in the transmission knowledge storage unit 15 contain a matching combination of observation information, that combination is determined to be one that does not affect the policy determination. That is, the transmission knowledge determination unit 16 receives the transmission knowledge from the transmission knowledge storage unit 15 and the policy from the policy storage unit 12, and, among the grouped observation information included in the transmission knowledge, distinguishes observation information that is split up and used separately in the policy from observation information that is always used together in the policy.
- In the latter case it determines that the transmission information is transmitted instead of the observation information; in other cases the observation information itself is transmitted.
- In this way, a plurality of observation information items can be collected into a smaller number of transmission information items without affecting the policy determination result.
- The information transmission unit 17 transmits the observation information, and the transmission information that the transmission knowledge determination unit 16 has determined to transmit (that is, not to affect the policy determination), to a transmission knowledge conversion unit (not shown).
- The transmission amount of the transmission information is smaller than the transmission amount of the plurality of observation information it replaces.
- Transmission information candidates may be determined, the number of observation states compared with the number of transmission information candidates, and the transmission information transmitted when the number of transmission information candidates is smaller.
- a policy is input using the policy input unit 11 and stored in the policy storage unit 12 (step 101).
- The system analysis unit 14 reads the observation knowledge from the observation knowledge storage unit 13, analyzes the system, queries the observation targets, and determines the value of the observation information (step 102).
- the transmission knowledge determination unit 16 determines whether to transmit transmission information or observation information based on the transmission knowledge and policy (step 103).
- the information transmission unit 17 transmits observation information and transmission information (step 104).
- The transmission knowledge determination unit 16 determines whether to transmit transmission information that collects a plurality of observation information items, within the range that does not affect the policy determination. If it determines that transmission information is to be transmitted, the transmission information is transmitted instead of some of the observation information. Therefore security can be monitored with a small amount of information transmission.
- The security monitoring system of the present embodiment includes a policy input unit 11, a policy storage unit 12, an observation knowledge storage unit 13, a system analysis unit 14, a transmission knowledge storage unit 15, a transmission knowledge determination unit 16, an information transmission unit 17, a transmission knowledge conversion unit 18, and a policy determination unit 19.
- The security monitoring system of this embodiment is the security monitoring system of the first embodiment with a transmission knowledge conversion unit 18 and a policy determination unit 19 added.
- The transmission knowledge conversion unit 18 uses the observation information and transmission information transmitted by the information transmission unit 17 to determine whether they satisfy the policy.
- The observation information corresponding to the transmission information transmitted from the information transmission unit 17 is read from the transmission knowledge storage unit 15, that observation information is replaced with the transmission information, and the result is stored in the transmission knowledge storage unit 15.
- The transmission knowledge conversion unit 18 uses the observation information and the transmission information transmitted by the information transmission unit 17 to determine whether they satisfy a security policy that defines secure combinations of observation information.
- The policy determination unit 19 applies the transmission information and the observation information transmitted by the information transmission unit 17 to the policy in which the observation information has been replaced with that transmission information (substituting the value of each item), and determines whether the policy is satisfied.
- a policy is input using the policy input unit 11 and stored in the policy storage unit 12 (step 201).
- the system analysis unit 14 reads the observation knowledge from the observation knowledge storage unit 13, analyzes the system, and determines the value of the observation information (step 202).
- the transmission knowledge determination unit 16 determines whether to transmit transmission information or observation information based on the transmission knowledge and policy (step 203).
- the information transmission unit 17 transmits observation information and transmission information (step 204).
- The policy, composed only of observation information, is converted so that it is composed of the observation information and transmission information transmitted by the information transmission unit 17, so that the policy can be determined (step 205).
- the policy determination unit 19 determines whether the monitored system satisfies the policy (step 206).
- The transmission knowledge determination unit 16 determines whether to transmit transmission information that collects a plurality of observation information items, within the range that does not affect the policy determination. If it determines that the transmission information is to be transmitted, the transmission information is transmitted instead of some of the observation information, and whether the policy is satisfied is determined from the transmission information and the observation information. Therefore security can be monitored with a small amount of information transmission.
- The security monitoring system of this embodiment further includes a transmission knowledge generation unit 20 in addition to the configuration of the security monitoring system of the second embodiment.
- The transmission knowledge generation unit 20 retrieves the policy from the policy storage unit 12, defines a new state by combining a plurality of observation information items among those constituting the policy, extracts the combinations for which using transmission information in place of the plurality of observation information does not affect the policy determination or does not increase the number of states, and stores the correspondence in the transmission knowledge storage unit 15 as transmission knowledge.
- A combination of observation information that does not affect the policy determination, or does not increase the number of states, is a combination of observation information within the same device, or a combination in which some of the constituent observation information forms a state that does not appear in other policies or is not used in combination with other observation information.
- a specific example of transmission knowledge is shown in FIG.
- a policy is input using the policy input unit 11 and stored in the policy storage unit 12 (step 301).
- The transmission knowledge generation unit 20 extracts, from the input policy and the observation knowledge, which of the observation information included in the policy can be transmitted collectively, and newly registers its association with transmission information in the transmission knowledge storage unit 15 (step 302).
- the system analysis unit 14 reads the observation knowledge from the observation knowledge storage unit 13, analyzes the system, and determines the value of the observation information (step 303).
- the subsequent steps are the same as in the second embodiment (step 304).
- This embodiment generates, from the policy and the observation knowledge, transmission information that can be associated with a plurality of observation information items. Therefore risk analysis with a reduced communication volume is possible without generating transmission knowledge in advance.
- The PC 1 and the network device 2 each include a system analysis unit 14, a transmission knowledge determination unit 16, and an information transmission unit 17, which analyze that device.
- The system monitoring PC 3 includes a policy input unit 11, a policy storage unit 12, a policy determination unit 19, a transmission knowledge storage unit 15, a transmission knowledge conversion unit 18, and an observation knowledge storage unit 13.
- A user defines a secure state as a policy by combining observation information, using a policy creation means (not shown).
- Consider the following observation information: Deny#rule, the filtering rules of network device 2; ClientFWStatus, the filtering rules of the firewall software installed on PC1; OSFWStatus, the filtering rules of the OS installed on PC1; NetworkStatus, the network connection status of PC1; and IPAddress, the IP address of PC1.
- As a policy using these observation states, consider a policy of applying filtering to external connections (p1) or, if that cannot be done, disconnecting the network (p2), where p1 is assumed to have priority over p2:
- p1 = (IPAddress in Deny#rule) ∨ (ClientFWStatus = enable) ∨ (OSFWStatus = enable)
- p2 = (NetworkStatus = disable)
- The transmission knowledge determination unit 16 determines the transmission information from the transmission knowledge and the policy.
- ClientFWStatus, OSFWStatus, NetworkStatus, and IPAddress are associated with the transmission information pc11.
- ClientFWStatus and OSFWStatus are associated with the transmission information pc14.
- Because NetworkStatus and the other observation information are split between p1 and p2, sending pc11 or pc13, which summarize NetworkStatus together with the other observation information, would make it impossible to determine p1 and p2 separately.
- The security monitoring system described above may be realized by recording a program that implements its functions on a computer-readable recording medium and having a computer read and execute the program recorded on that medium.
- The computer-readable recording medium refers to a recording medium such as a flexible disk, a magneto-optical disk, or a CD-ROM, or a storage device such as a hard disk built into the computer system.
- The computer-readable recording medium also includes media that hold the program dynamically for a short time, such as the transmission medium or transmission wave used when the program is transmitted via the Internet, and media that hold the program for a certain period, such as the volatile memory in the computer that serves as the server in that case.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The security monitoring system of the present invention has: policy storage means storing a policy that is the criterion for determining whether the monitored system is secure; observation knowledge storage means storing observation knowledge that describes the observation information (information on each device) and its determination method, for determining whether the monitored system is secure; system analysis means analyzing the state of the monitored system based on the observation knowledge stored in the observation knowledge storage means; transmission knowledge storage means storing, instead of all the observation knowledge analyzed by the system analysis means being transmitted, combinations of transmission knowledge (the knowledge to be transmitted) and observation information; transmission knowledge determination means receiving the observation information analyzed by the system analysis means and the policy from the policy storage means, and determining, based on the information stored in the transmission knowledge storage means, whether transmitting transmission information instead of the individual observation information affects the policy determination; and information transmission means transmitting the observation information and the transmission information that the transmission knowledge determination means has determined not to affect the policy determination.
Description
Reference numerals:
1 PC
2 Network device
3 System monitoring PC
11 Policy input unit
12 Policy storage unit
13 Observation knowledge storage unit
14 System analysis unit
15 Transmission knowledge storage unit
16 Transmission knowledge determination unit
17 Information transmission unit
18 Transmission knowledge conversion unit
19 Policy determination unit
20 Transmission knowledge generation unit
101-104, 201-206, 301-304 Steps
First Embodiment. Referring to FIG. 1, the security monitoring system of this embodiment includes a policy input unit 11, a policy storage unit 12, an observation knowledge storage unit 13, a system analysis unit 14, a transmission knowledge storage unit 15, a transmission knowledge determination unit 16, and an information transmission unit 17.
Second Embodiment. Referring to FIG. 3, the security monitoring system of this embodiment includes a policy input unit 11, a policy storage unit 12, an observation knowledge storage unit 13, a system analysis unit 14, a transmission knowledge storage unit 15, a transmission knowledge determination unit 16, an information transmission unit 17, a transmission knowledge conversion unit 18, and a policy determination unit 19.
Third Embodiment. Referring to FIG. 5, the security monitoring system of this embodiment further includes a transmission knowledge generation unit 20 in addition to the configuration of the security monitoring system of the second embodiment.
For example, consider the following observation information:
Observation information representing the filtering rules of network device 2: Deny#rule
Observation information representing the filtering rules of the firewall software installed on PC1: ClientFWStatus
Observation information representing the filtering rules of the OS installed on PC1: OSFWStatus
Observation information representing the network connection status of PC1: NetworkStatus
Observation information representing the IP address of PC1: IPAddress
As a policy using these observation states, consider for example a policy of applying filtering to external connections (p1) or, if that cannot be done, disconnecting the network (p2), where p1 is assumed to have priority over p2:
p1 = (IPAddress in Deny#rule) ∨ (ClientFWStatus = enable) ∨ (OSFWStatus = enable)
p2 = (NetworkStatus = disable)
Next, the transmission knowledge determination unit 16 determines the transmission information from the transmission knowledge and the policy. Of this policy, consider the part
(ClientFWStatus = enable) ∨ (OSFWStatus = enable)
Since ClientFWStatus and OSFWStatus do not appear in this policy anywhere other than in this part, sending the determination result of this part collectively does not affect the policy determination. Therefore (ClientFWStatus = enable) ∨ (OSFWStatus = enable) is collected as pc14, and only the value of pc14 is transmitted.
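The following Python is an added worked example, not code from the patent: it models the policy above, derives pc14-style transmission knowledge the way the third embodiment's generation unit 20 is described (same device, variables used in only one rule), applies the first embodiment's admissibility check that rejects pc11, and performs the second embodiment's policy conversion on the monitor side, verifying exhaustively that the verdict is unchanged while one fewer value is sent. The device map, the `tx` names and the sample values are constructed for this example.

```python
"""Added worked example, not code from the patent: a toy model of the
WO2010079694A1 scheme.  A policy is an ordered list of rules (p1 first), each a
disjunction of atoms over observation variables.  Atoms of one device whose
variables are used in exactly one rule are merged into a single transmission
value (the patent's pc14): the agent sends one boolean instead of several
observation values and the monitor still reaches the same verdict.  Variable
names follow the patent's example; the device map, tx names and sample values
are constructed, and the checks are my reading of the embodiments."""
from itertools import product
from typing import Dict, FrozenSet, List, Tuple

Atom = Tuple[str, str, object]  # (variable, "eq" | "in", constant or other variable)
Rule = List[Atom]               # a rule is a disjunction of atoms
Policy = List[Rule]             # rules in priority order: p1, p2, ...

# Observation knowledge: the device that owns each observation variable (constructed).
DEVICE_OF = {"Deny#rule": "network device 2", "ClientFWStatus": "PC1",
             "OSFWStatus": "PC1", "NetworkStatus": "PC1", "IPAddress": "PC1"}

# p1: the external connection is filtered somewhere; p2: otherwise be disconnected.
POLICY: Policy = [
    [("IPAddress", "in", "Deny#rule"), ("ClientFWStatus", "eq", "enable"),
     ("OSFWStatus", "eq", "enable")],
    [("NetworkStatus", "eq", "disable")],
]

def atom_vars(a: Atom) -> FrozenSet[str]:
    var, op, target = a
    return frozenset({var, target}) if op == "in" else frozenset({var})

def eval_atom(a: Atom, obs: Dict[str, object]) -> bool:
    var, op, target = a
    return obs[var] in obs[target] if op == "in" else obs[var] == target

def eval_policy(policy: Policy, obs: Dict[str, object]) -> bool:
    """Priority evaluation: the first rule that holds makes the policy true."""
    return any(any(eval_atom(a, obs) for a in rule) for rule in policy)

def rules_using(policy: Policy, vars_: FrozenSet[str]) -> List[int]:
    """Indices of the rules in which any of the given variables appears."""
    return [i for i, rule in enumerate(policy) if any(atom_vars(a) & vars_ for a in rule)]

def admissible(policy: Policy, group: FrozenSet[str]) -> bool:
    """First embodiment (determination unit 16): a predefined group such as pc11
    may be sent as one value only if its variables are not split across rules."""
    return len(rules_using(policy, group)) == 1

def generate_transmission_knowledge(policy: Policy) -> Dict[str, Rule]:
    """Third embodiment (generation unit 20): within one rule, merge atoms of the
    same device whose variables appear in no other rule, if that reduces the count."""
    knowledge: Dict[str, Rule] = {}
    for i, rule in enumerate(policy):
        by_device: Dict[str, Rule] = {}
        for a in rule:
            devices = {DEVICE_OF[v] for v in atom_vars(a)}
            if len(devices) == 1 and rules_using(policy, atom_vars(a)) == [i]:
                by_device.setdefault(devices.pop(), []).append(a)
        for atoms in by_device.values():
            if len(atoms) >= 2:
                knowledge[f"tx{len(knowledge) + 1}"] = atoms  # constructed name
    return knowledge

def agent_message(obs: Dict[str, object], knowledge: Dict[str, Rule]) -> Dict[str, object]:
    """Agent side (units 14, 16, 17): evaluate each grouped disjunction locally and
    send its boolean in place of the grouped observation values."""
    grouped = {v for atoms in knowledge.values() for a in atoms for v in atom_vars(a)}
    msg = {v: val for v, val in obs.items() if v not in grouped}
    for name, atoms in knowledge.items():
        msg[name] = any(eval_atom(a, obs) for a in atoms)
    return msg

def convert_policy(policy: Policy, knowledge: Dict[str, Rule]) -> Policy:
    """Monitor side (conversion unit 18): replace the grouped atoms of a rule by
    one atom that tests the transmitted boolean; unit 19 then evaluates it."""
    converted: Policy = []
    for rule in policy:
        new_rule = [a for a in rule if not any(a in atoms for atoms in knowledge.values())]
        new_rule += [(name, "eq", True) for name, atoms in knowledge.items()
                     if all(a in rule for a in atoms)]
        converted.append(new_rule)
    return converted

def check_equivalence(policy: Policy, knowledge: Dict[str, Rule]) -> Tuple[bool, int]:
    """Exhaustively confirm that the monitor's verdict on the converted policy equals
    direct evaluation of the original, and report how many values the agent sent."""
    domain = {"Deny#rule": [["10.0.0.5"], []], "IPAddress": ["10.0.0.5", "10.0.0.9"],
              "ClientFWStatus": ["enable", "disable"], "OSFWStatus": ["enable", "disable"],
              "NetworkStatus": ["enable", "disable"]}  # constructed sample values
    sent = 0
    for values in product(*domain.values()):
        obs = dict(zip(domain, values))
        msg = agent_message(obs, knowledge)
        sent = len(msg)
        if eval_policy(convert_policy(policy, knowledge), msg) != eval_policy(policy, obs):
            return False, sent
    return True, sent

if __name__ == "__main__":
    tk = generate_transmission_knowledge(POLICY)
    print(tk)                                                        # {'tx1': [ClientFWStatus, OSFWStatus atoms]}
    print(admissible(POLICY, frozenset(DEVICE_OF) - {"Deny#rule"}))  # False: pc11 mixes p1 and p2
    print(check_equivalence(POLICY, tk))                             # (True, 4): 4 values sent instead of 5
```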
Claims (15)
- 機器のセキュリティ状態を表す観測情報を複数取得し、前記観測情報に基づいてポリシーによるセキュリティ判定をするセキュリティ監視方法であって、
関連性のある観測情報をまとめて代表情報で定義した送信情報を保持し、
前記観測情報の代わりに前記送信情報だけでもポリシーによるセキュリティ判定が可能か否かを判断し、
可能な場合前記観測情報の全部または一部の代わりに前記送信情報を送信する、
セキュリティ監視方法。 A security monitoring method for acquiring a plurality of observation information indicating a security state of a device, and performing security judgment based on a policy based on the observation information,
Hold the transmission information defined in the representative information together with related observation information,
Determine whether security determination by policy is possible only with the transmission information instead of the observation information,
Sending the transmission information instead of all or part of the observation information, if possible,
Security monitoring method. - 前記送信情報の伝送量は、前記複数の観測情報の伝送量より少ない、請求項1に記載のセキュリティ監視方法。 The security monitoring method according to claim 1, wherein a transmission amount of the transmission information is smaller than a transmission amount of the plurality of observation information.
- 前記複数の観測情報を、ポリシーの判定結果に影響を与えない前記観測情報の数より少ない数の送信情報にまとめる、請求項1に記載のセキュリティ監視方法法。 The security monitoring method according to claim 1, wherein the plurality of pieces of observation information are collected into a smaller number of pieces of transmission information than the number of pieces of observation information that do not affect a policy determination result.
- 前記送信情報の候補を決定し、前記観測状態の数と前記送信情報の候補数を比較し、前記送信情報の候補数が少ない場合に、前記送信情報を送信する、請求項3に記載のセキュリティ監視方法。 The security according to claim 3, wherein the transmission information candidates are determined, the number of observation states is compared with the number of transmission information candidates, and the transmission information is transmitted when the number of transmission information candidates is small. Monitoring method.
- 前記送信情報をあらかじめ決定し、監視手段に送信情報を通知する、請求項1から4に記載のセキュリティ監視方法。 5. The security monitoring method according to claim 1, wherein the transmission information is determined in advance and the transmission information is notified to a monitoring means.
- 前記観測情報と前記送信情報を用いて、それらの情報が、ポリシーを満たすかどうかを判定する、請求項1から5のいずれかに記載のセキュリティ監視方法。 6. The security monitoring method according to claim 1, wherein the observation information and the transmission information are used to determine whether or not the information satisfies a policy.
- 前記観測情報と前記送信情報を用いて、それらの情報が、観測情報のセキュアな組み合わせを定義したセキュリティポリシーを満たすかどうかを判定する、請求項1から5のいずれかに記載のセキュリティ監視方法。 6. The security monitoring method according to claim 1, wherein the observation information and the transmission information are used to determine whether or not the information satisfies a security policy that defines a secure combination of the observation information.
- 送信情報と、送信情報にまとめられた観測情報の組み合わせを用いて、送信された送信情報を観測情報に置き換え、それらの観測情報がポリシーを満たしているかどうかを判定する、請求項6または7に記載のセキュリティ監視方法。 The transmission information and the observation information collected in the transmission information are used to replace the transmitted transmission information with the observation information, and it is determined whether or not the observation information satisfies the policy. The security monitoring method described.
- 送信情報と、送信情報にまとめられた観測情報の組み合わせを用いて、送信された観測情報と送信情報にあわせて、ポリシー内の観測情報を送信情報に置き換え、置き換えられた送信情報がセキュリティポリシーを満たすかどうかを判定する、請求項6または7に記載のセキュリティ監視方法。 Using the combination of the transmission information and the observation information collected in the transmission information, the observation information in the policy is replaced with the transmission information in accordance with the transmitted observation information and the transmission information. The security monitoring method according to claim 6 or 7, wherein it is determined whether or not the condition is satisfied.
- A security monitoring system comprising:
policy storage means that stores a policy serving as the criterion for determining whether the monitored system is secure;
observation knowledge storage means that stores, for determining whether the monitored system is secure, observation information, which is information about each device, and observation knowledge describing how that observation information is to be analyzed;
system analysis means that analyzes the state of the monitored system based on the observation knowledge stored in the observation knowledge storage means;
transmission knowledge storage means that stores combinations of transmission information and observation information, which is the knowledge of what should be transmitted instead of all the observation information analyzed by the system analysis means;
transmission knowledge determination means that receives the observation information analyzed by the system analysis means, receives the policy from the policy storage means, and determines, based on the information stored in the transmission knowledge storage means, whether transmitting transmission information instead of the individual observation information leaves the policy determination unaffected; and
information transmission means that transmits the observation information together with the transmission information that the transmission knowledge determination means has determined does not affect the policy determination.
- The security monitoring system according to claim 10, further comprising:
transmission knowledge conversion means that converts the policy, which is composed only of observation information, so that it is composed of the transmission information and observation information sent by the information transmission means, so that a policy determination can be made from the observation information and transmission information received from the information transmission means; and
policy determination means that determines whether the transmission information and observation information satisfy the policy.
- The security monitoring system according to claim 11, further comprising transmission knowledge generation means that retrieves the policy from the policy storage means, defines new states by combining a plurality of pieces of the observation information that constitute the policy, extracts those combinations for which using transmission information in place of the plurality of pieces of observation information does not affect the policy determination or does not increase the number of states, and stores the resulting correspondence in the transmission knowledge storage means as transmission knowledge.
- A security monitoring program for causing a computer to execute:
a system analysis procedure that analyzes the state of the monitored system based on observation knowledge stored in observation knowledge storage means, which stores, for determining whether the monitored system is secure, observation knowledge, which is information about each device, and the method for analyzing that observation knowledge;
a transmission knowledge determination procedure that receives the observation knowledge analyzed by the system analysis procedure, receives a policy from policy storage means that stores a policy serving as the criterion for determining whether the monitored system is secure, and determines whether transmitting transmission information instead of the individual observation knowledge leaves the policy determination unaffected, based on the information stored in transmission knowledge storage means, which stores combinations of transmission information and observation information, that is, the knowledge of what should be transmitted instead of all the observation information analyzed by the system analysis procedure; and
an information transmission procedure that transmits the observation information together with the transmission information that the transmission knowledge determination procedure has determined does not affect the policy determination.
- The security monitoring program according to claim 10, further comprising:
a transmission knowledge conversion procedure that converts the policy, which is composed only of observation information, so that it is composed of the transmission information and observation information sent by the information transmission procedure, so that a policy determination can be made from the observation information and transmission information sent by the information transmission procedure; and
a policy determination procedure that determines whether the transmission information and observation information satisfy the policy.
- The security monitoring program according to claim 14, further causing the computer to execute a transmission knowledge generation procedure that retrieves the policy from the policy storage means, defines new states by combining a plurality of pieces of the observation information that constitute the policy, extracts those combinations for which using transmission information in place of the plurality of pieces of observation information does not affect the policy determination or does not increase the number of states, and stores the resulting correspondence in the transmission knowledge storage means as transmission knowledge.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2010545720A JP5447394B2 (en) | 2009-01-07 | 2009-12-24 | Security monitoring method, security monitoring system, and security monitoring program |
US13/133,722 US20110265184A1 (en) | 2009-01-07 | 2009-12-24 | Security monitoring method, security monitoring system and security monitoring program |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2009-001490 | 2009-01-07 | ||
JP2009001490 | 2009-01-07 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2010079694A1 (en) | 2010-07-15 |
Family
ID=42316463
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2009/071426 WO2010079694A1 (en) | 2009-01-07 | 2009-12-24 | Security monitoring method, security monitoring system, and security monitoring program |
Country Status (3)
Country | Link |
---|---|
US (1) | US20110265184A1 (en) |
JP (1) | JP5447394B2 (en) |
WO (1) | WO2010079694A1 (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8943364B2 (en) * | 2010-04-30 | 2015-01-27 | International Business Machines Corporation | Appliance for storing, managing and analyzing problem determination artifacts |
JP7373803B2 (en) | 2020-09-29 | 2023-11-06 | パナソニックIpマネジメント株式会社 | Information transmitting device, server, and information transmitting method |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP1936892A4 (en) * | 2005-10-15 | 2009-02-11 | Huawei Tech Co Ltd | A system for controlling the security of network and a method thereof |
US8291483B2 (en) * | 2007-04-30 | 2012-10-16 | Hewlett-Packard Development Company, L.P. | Remote network device with security policy failsafe |
CN101442436A (en) * | 2007-11-20 | 2009-05-27 | 国际商业机器公司 | IP network management method and system |
- 2009
- 2009-12-24 WO PCT/JP2009/071426 patent/WO2010079694A1/en active Application Filing
- 2009-12-24 US US13/133,722 patent/US20110265184A1/en not_active Abandoned
- 2009-12-24 JP JP2010545720A patent/JP5447394B2/en not_active Expired - Fee Related
Non-Patent Citations (2)
Title |
---|
IBM TIVOLI RISK MANAGER KANRISHA GUIDE VERSION 4.2, 31 January 2004 (2004-01-31), pages 1 - 17, 101 TO 105 * |
IBM TIVOLI RISK MANAGER USERS GUIDE VERSION 4.1, 31 December 2002 (2002-12-31), pages 1 - 40, 153 TO 155 * |
Also Published As
Publication number | Publication date |
---|---|
US20110265184A1 (en) | 2011-10-27 |
JP5447394B2 (en) | 2014-03-19 |
JPWO2010079694A1 (en) | 2012-06-21 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
JP5164073B2 (en) | | Communication network design method, program, and recording medium |
CN111752795A (en) | | Full-process monitoring alarm platform and method thereof |
US11645144B2 (en) | | Methods and systems securing an application based on auto-learning and auto-mapping of application services and APIs |
US8160855B2 (en) | | System and method for simulating network attacks |
CN107800565A (en) | | Method for inspecting, device, system, computer equipment and storage medium |
CN105723378A (en) | | Protection system including security rule evaluation |
CN103209174A (en) | | Data protection method, device and system |
JP5145907B2 (en) | | Security operation management system, method, and program |
US11546356B2 (en) | | Threat information extraction apparatus and threat information extraction system |
Elejla et al. | | Labeled flow-based dataset of ICMPv6-based DDoS attacks |
JP2018509822A (en) | | Reliable third-party broker for collection and private sharing of successful computer security practices |
Itodo et al. | | Digital forensics and incident response (DFIR) challenges in IoT platforms |
US20070214242A1 (en) | | Network configuration change evaluation program, network configuration change evaluation device, and network configuration change evaluation method |
JP5447394B2 (en) | | Security monitoring method, security monitoring system, and security monitoring program |
Maiden et al. | | Dualtrust: A distributed trust model for swarm-based autonomic computing systems |
CN113168460A (en) | | Method, device and system for data analysis |
JP2019204462A (en) | | Data processing system, data processing method and program |
Shi et al. | | Checking network security policy violations via natural language questions |
Jeon et al. | | Passive fingerprinting of scada in critical infrastructure network without deep packet inspection |
Drago et al. | | Report of the second workshop on the usage of NetFlow/IPFIX in network management |
CN108933707A (en) | | A kind of safety monitoring system and method for industrial network |
Syed et al. | | Fast attack detection using correlation and summarizing of security alerts in grid computing networks |
Xie et al. | | An architecture for cross-cloud auditing |
Bull et al. | | A flow analysis and preemption framework for periodic traffic in an SDN network |
CN116436668B (en) | | Information security control method and device, computer equipment and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 09837579 Country of ref document: EP Kind code of ref document: A1 |
| WWE | Wipo information: entry into national phase | Ref document number: 13133722 Country of ref document: US |
| WWE | Wipo information: entry into national phase | Ref document number: 2010545720 Country of ref document: JP |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 09837579 Country of ref document: EP Kind code of ref document: A1 |